Saturday, December 3, 2011

Timing Attacks on CSS Shaders

CSS Shaders is a new feature folks from Adobe, Apple, and Opera have proposed to the W3C CSS-SVG Effects Task Force. Rather than being limited to pre-canned effects, such as gradients and drop shadows, CSS Shaders would let web developers apply arbitrary OpenGL shaders to their content. That makes for some really impressive demos. Unfortunately, CSS Shaders has a security problem.

To understand the security problem with CSS Shaders, it's helpful to recall a recent security issue with WebGL. Similar to CSS Shaders, WebGL lets developers use OpenGL shaders in their web applications. Originally, WebGL let these shaders operate on arbitrary textures, including textures fetched from other origins. Unfortunately, this design was vulnerable to a timing attack because the runtime of OpenGL shaders can depend on their inputs.

Timing attacks are difficult to mitigate because once the sensitive data is present in the timing channel it's very difficult to remove. Using techniques like bucketing, we can limit the number of bits an attacker can extract per second, but, given enough time, the attacker can still steal the sensitive data. The best solution is the one WebGL adopted: prevent sensitive data from entering the timing channel. WebGL accomplished this by requiring cross-origin textures to be authorized via Cross-Origin Resource Sharing.
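The bucketing point above, as an added simulation (not code from the original post): a clock coarsened to 5 ms still reveals a 0.4 ms data-dependent difference once enough readings are averaged, so bucketing only lowers the leak rate. All constants and function names are assumptions, and every timing is synthetic.

```javascript
// Constructed simulation with synthetic timings; all constants are assumptions.
const BUCKET_MS = 5.0;  // coarse clock resolution (the "bucketing" mitigation)
const FAST_MS = 4.0;    // work time when the secret bit is 0
const SLOW_MS = 4.4;    // work time when the secret bit is 1
const JITTER_MS = 0.5;  // uniform scheduling noise, +/- this amount

// Small seeded PRNG (mulberry32) so the simulation is reproducible.
function mulberry32(seed) {
  let a = seed >>> 0;
  return () => {
    a = (a + 0x6D2B79F5) >>> 0;
    let t = a;
    t = Math.imul(t ^ (t >>> 15), t | 1);
    t ^= t + Math.imul(t ^ (t >>> 7), t | 61);
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}

const coarseClock = (t) => Math.floor(t / BUCKET_MS) * BUCKET_MS;

// One bucketed measurement of a task that really takes `trueMs`.
// The task starts at a random phase relative to the clock's tick.
function bucketedDuration(trueMs, rng) {
  const start = rng() * BUCKET_MS;
  const jitter = (rng() * 2 - 1) * JITTER_MS;
  return coarseClock(start + trueMs + jitter) - coarseClock(start);
}

// Average many bucketed readings; the mean converges on the true duration.
function estimateDuration(trueMs, samples, rng) {
  let sum = 0;
  for (let i = 0; i < samples; i++) sum += bucketedDuration(trueMs, rng);
  return sum / samples;
}

// Fraction of random secret bits an observer classifies correctly.
function recoveryAccuracy(bits, samplesPerBit, seed) {
  const rng = mulberry32(seed);
  const threshold = (FAST_MS + SLOW_MS) / 2;
  let correct = 0;
  for (let i = 0; i < bits; i++) {
    const secret = rng() < 0.5 ? 0 : 1;
    const est = estimateDuration(secret ? SLOW_MS : FAST_MS, samplesPerBit, rng);
    if ((est > threshold ? 1 : 0) === secret) correct++;
  }
  return correct / bits;
}

console.log("1 sample/bit:     ", recoveryAccuracy(400, 1, 1));
console.log("20000 samples/bit:", recoveryAccuracy(32, 20000, 1));
```

Each single reading is either 0 or 5 ms, yet the fraction of 5 ms readings tracks the true duration, which is why the durable fix is keeping cross-origin data out of the channel rather than coarsening the clock.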

There's a direct application of this attack to CSS Shaders. Because web sites are allowed to display content that they are not allowed to read, an attacker can use a Forshaw-style CSS shader to read confidential information via the timing channel. For example, a web site could use CSS shaders to extract your identity from an embedded Facebook Like button. More subtly, a web site could extract your browsing history, bypassing David Baron's defense against history sniffing.

However, it seems difficult to mount such an attack with CSS shaders because the means to measure the time taken by a cross-domain shader are limited.

Now, I don't have a proof-of-concept attack, but this claim is fairly dubious. The history of timing attacks, including other web timing attacks, teaches us that even subtle leaks in the timing channel can lead to practical attacks. Given that we've seen practical applications of the WebGL version of this attack, it seems quite likely CSS Shaders are vulnerable to timing attacks.

Specifically, there are a number of mechanisms for timing rendering. For example, MozBeforePaint and MozAfterPaint provide a mechanism for measuring paint times directly. Also, the behavior of requestAnimationFrame contains information about rendering times.

Without a proof-of-concept attack we cannot be completely certain that these attacks on CSS Shaders are practical, but waiting for proof-of-concept attacks before addressing security concerns isn't a path that leads to security.

682 comments:

I've also been wondering whether SVG filters could be used for a similar attack. SVG filters aren't programmable like shaders are, so you couldn't directly affect the timing. However, it might be possible to make a filter that is quicker for certain pixel values due to various optimisations in the filter algorithms (e.g. a black pixel might be very quick to process because the output would always be zero for a particular filter). Or you could find a combination of filters that hits some edge case that takes particularly long to process for some pixel values (maybe involving alpha or something).
